GDPR: Why Every School Must Act Now to Prepare for New Data Protection Laws

On June 07 by Mark Orchison

New data protection laws are soon to be introduced which will have major implications for all schools. The EU General Data Protection Regulation (GDPR) comes into effect on May 25th 2018 and every school will have to comply or face financial penalties, which could be substantial. The legislation will be binding on all schools even after Brexit.

What is GDPR?

GDPR is the result of a concerted effort by the EU Commission to raise the importance of data protection in the public, private and third sectors. The legislation goes much further than all previous data protection legislation.

What makes compliance particularly onerous is that schools will not only have to comply with the provisions of GDPR but prove to the regulator that they are doing so. GDPR compliance covers the processing of all personal data whether it is stored on a server, database, school website or even on paper.

Crucially, schools will have to undertake data protection impact assessments when they implement new software, make changes to the IT infrastructure or introduce any new technology that involves personal data.

Your school would be breaking the law if it were unable to demonstrate, through thorough documentation, the effective management of its information systems.

Penalties for Non-Compliance

Penalties for non-compliance are the most onerous ever stipulated for breaches of data protection law. For example, TalkTalk was fined £400,000 for breaches of the Data Protection Act 1998. Under GDPR that fine could have risen to £71,800,000.

For schools, non-compliance with GDPR can cost up to 4% of turnover and can also lead to criminal prosecution of school employees.

Schools will be required to notify breaches of GDPR to the regulator within 72 hours, and the extension of data protection rights will present significant managerial and operational challenges.

In the example of a serious cyber security breach, your school would have to report it to the ICO (the UK supervisory body for GDPR) within the 72-hour timescale.

On investigation, it is highly likely the ICO would take action should your school have limited policies, processes and procedures relating to the management and security of information systems, or be unable to evidence the management, administration and compliance of the systems operation.

The ICO's action could be advisory, could take the form of restrictions, or could be an actual financial penalty.

Taking the Risk Out of GDPR

Failure to comply with GDPR is fraught with risk but few schools know what compliance involves or how to ensure they achieve it.

The most effective way to take the risk out of GDPR for schools is to appoint a Data Protection Officer (DPO) which, for some types of organisation, is mandatory in any case.

This is an area where we can help you. 9ine is the leading UK specialist in technology consultancy for schools and, as part of our ICT Strategic Partnership, we advise on every aspect of GDPR and we can ensure you comply with the legislation.

Given the operational costs of compliance and the potential fines for non-compliance, letting us guide and support you through this process removes a significant burden on your school.

As an example of the complexity of the regulations, the currently-available guidance states: “The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involved a risk or a high risk.”

In addition, we’re advised: “The identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer.”

As you can see, this is a potential minefield. Fortunately, it's one we can guide you through safely.

Your school will need a documented risk methodology and risk log associated with the implications of GDPR. You will also be required to have a detailed understanding of the contextual impact of the legislation and comprehensive documentation to evidence this.

Furthermore, you will need to implement appropriate technical and organisational measures - reviewed and updated where necessary - to ensure and to be able to demonstrate that processing is performed in accordance with the regulations.

These and other implications of GDPR for schools are why one of our key developments has been the creation of a new Certified GDPR Practitioner (Association of Project Management) team with the skills and expertise to support schools.

Given that GDPR spans change management, technical systems upgrades, operational management, cyber security and training, we are ideally placed to give you confidence on the path to compliance.

Keep Up To Date with GDPR and Cyber Security Information

As the deadline for compliance approaches, we will be regularly publishing articles and updates on GDPR and cyber security.